On the present challenge, level18, there are three ways of exploiting the program. I'm going to take the easiest one.
What you’ll need to know…
- --rcfile option
Level18
After analyzing the code presented, I was able to identify one vulnerability in the login function. In this function, the program tries to open the password file, located in /home/flag18. If it can open it, you'll have a file pointer to the password file; but if it can't, it'll log you in without any password.
So, the trick here is to use up every file descriptor available on the system. To check the number of file descriptors in use and the maximum, one can use the command sysctl fs.file-nr.
My approach will be: create an SSH connection to the level18 account and start the flag18 program before we exhaust the system. Then I'll write a small program that creates many file descriptors and never releases them (opens a file without closing it), and run it. After this I'll return to my SSH connection and type the login command. Because there are no more file descriptors available, it'll log me in. Let's see if this works.
Let's run for i in {1..200}; do ./level18 & done in order to use every file descriptor.
Here you can see that the system can’t create more file pointers.
Now that we are logged in we can start a shell, but first we need to kill all the processes created before. For this, use for i in {1..200}; do kill "%$i"; done.
Now, start a shell.
From here we can already get the flag.
Or we can see the password (I tried to log in with this password but I couldn't).
We can even compile a SUID program…
Now we can exit this shell and run our SUID binary, so we don't have to repeat all the previous steps in order to get a shell.
Only one challenge left!
Challenges completed: 19/20
Mitigation
Delete the code path that logs you in without a password when the password file cannot be opened?
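To make the mitigation concrete, here is an added example (my own reconstruction in C, not Nebula's source, which this write-up does not reproduce) of the fail-open login logic described above next to a fail-closed version. The password file path, the password contents and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Reads the first line of the password file; returns 0 on success, -1 if the
 * file cannot be opened or read (hypothetical helper, not Nebula's code). */
static int read_password(const char *path, char *out, size_t outlen) {
    FILE *fp = fopen(path, "r");   /* fails with EMFILE/ENFILE once descriptors are exhausted */
    if (fp == NULL)
        return -1;
    if (fgets(out, (int)outlen, fp) == NULL) { fclose(fp); return -1; }
    out[strcspn(out, "\r\n")] = '\0';   /* strip the trailing newline */
    fclose(fp);
    return 0;
}

/* Vulnerable pattern, as described in the write-up: a failed open of the
 * password file is treated as "no password required". Returns 1 = logged in. */
int login_fail_open(const char *path, const char *supplied) {
    char stored[64];
    if (read_password(path, stored, sizeof stored) != 0)
        return 1;                  /* BUG: cannot read the password file, so log in anyway */
    return strcmp(stored, supplied) == 0;
}

/* Hardened pattern: any failure to obtain the stored password denies login. */
int login_fail_closed(const char *path, const char *supplied) {
    char stored[64];
    if (read_password(path, stored, sizeof stored) != 0)
        return 0;                  /* fail closed: deny and let the caller log the error */
    return strcmp(stored, supplied) == 0;
}

/* Exercises both variants against a constructed password file and against an
 * unopenable path; returns 0 when every check behaves as commented, else one bit per failure. */
int run_checks(void) {
    const char *good = "/tmp/nebula18_example_password";   /* constructed sample file */
    const char *missing = "/nonexistent-dir/password";     /* fopen() fails here */
    int failures = 0;
    FILE *fp = fopen(good, "w");
    if (fp == NULL) return -1;
    fputs("s3cret\n", fp);
    fclose(fp);
    if (login_fail_open(good, "s3cret") != 1)     failures |= 1;   /* correct password accepted */
    if (login_fail_open(good, "wrong") != 0)      failures |= 2;   /* wrong password rejected */
    if (login_fail_open(missing, "wrong") != 1)   failures |= 4;   /* unopenable file: logged in anyway */
    if (login_fail_closed(good, "s3cret") != 1)   failures |= 8;
    if (login_fail_closed(good, "wrong") != 0)    failures |= 16;
    if (login_fail_closed(missing, "wrong") != 0) failures |= 32;  /* unopenable file: denied */
    remove(good);
    return failures;
}

int main(void) { printf("failures bitmask: %d\n", run_checks()); return 0; }
```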